29 October 2021

ITRE COMMITTEE ADOPTS REPORT ON NIS2

On 28 October, the European Parliament’s Committee on Industry, Research and Energy (ITRE) adopted its report on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (NIS2). The proposed NIS2 addresses the shortcomings identified in the existing NIS Directive and sets tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing.

During the review process of the NIS Directive, CLECAT particularly highlighted the wide discrepancies in its transposition across the Member States, especially regarding the scope of entities identified and the respective thresholds, which have led to a patchwork of national legislation. In practice, this creates an unlevel playing field and a distortion of competition, which urgently needs to be addressed. CLECAT stressed the importance of addressing the discrepancies in the national transposition of the NIS Directive as a priority, to guarantee a well-functioning single market that ensures fair treatment of operators across all EU Member States.

The ITRE Committee’s report, representing the draft negotiating mandate, was adopted with 70 votes in favour, 3 against and 1 abstention. MEPs also voted to open negotiations with the Council, with 71 votes in favour, 2 against and 1 abstention. The mandate will be announced in the plenary session on 10 November. According to the ITRE Committee’s position, Member States would have to apply stricter supervisory and enforcement measures and harmonise their sanctions regimes.

Compared to the current NIS Directive, the NIS2 would oblige more entities and sectors to take measures. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors would be covered by the new security provisions. In addition, the new rules would also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers.

Unlike the existing NIS Directive, which allows Member States to identify operators of essential services (OES), the scope of NIS2 covers all medium-sized and large companies in the selected sectors. Cybersecurity would become the responsibility of the highest managerial level. Concretely, the requirements include incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. Moreover, NIS2 also establishes a framework for better cooperation and information sharing between different authorities and Member States, and creates a European vulnerability database.

Source: European Parliament